STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 09 Jan 2021

The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Key Signing Key (KSK) residing on it.

DISA Rule

SV-233903r621666_rule

Vulnerability Number

V-233903

Group Title

SRG-APP-000176-DNS-000094

Rule Version

IDNS-8X-500006

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

1. Navigate to Data Management >> DNS >> Zones.
2. Select the zone, click "Edit", and select the "Name Servers" tab.
3. Mark the Grid Master as "Stealth".
4. If no other name servers are listed, one must be added before the configuration can be valid.
5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
6. Perform a service restart if necessary.

Check Contents

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.

By default, ZSK private keys are stored encrypted within the Infoblox database on the Grid Master. The Grid Master will by default enable the DNS service when DNSSEC is enabled for internal processing. No clients should be permitted to use the Grid Master DNS service. Refer to the Infoblox STIG Overview document for additional information on HSM usage.

1. Navigate to Data Management >> DNS >> Zones.
2. Review each zone by selecting the zone, clicking "Edit", and selecting the "Name Servers" tab.
3. When complete, click "Cancel" to exit the "Properties" screen.

If the Grid Master is a listed name server and not marked "Stealth", this is a finding.
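The check above is a manual walk through every zone's "Name Servers" tab. The following script is an added example (not part of the STIG, and not DISA or Infoblox code) that performs the same test over zone records, and also checks the precondition from Fix Recommendation step 4 (a stealth Grid Master needs at least one other name server). The record shape, the field names grid_primary, grid_secondaries, name and stealth, and the hostname gm.example.mil are assumptions modelled on what Infoblox's WAPI zone_auth object returns; the sample zones are constructed for the example.

```python
"""Compliance check for IDNS-8X-500006 (V-233903).

Flags any zone where the Grid Master is listed as a name server but is not
marked Stealth, and any zone where the Grid Master is the only name server,
since it cannot be made stealth until another server is added.
Added example; not DISA, Infoblox or STIGQter code.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Assumed Grid Master hostname (constructed for this example).
GRID_MASTER = "gm.example.mil"

# Constructed sample zones. The field names (grid_primary, grid_secondaries,
# name, stealth) are assumed to mirror the WAPI zone_auth object; verify them
# against the NIOS release in use before relying on them.
SAMPLE_ZONES: List[Dict[str, Any]] = [
    {   # compliant: Grid Master is stealth, another server serves the zone
        "fqdn": "example.mil",
        "grid_primary": [{"name": "gm.example.mil", "stealth": True}],
        "grid_secondaries": [{"name": "ns1.example.mil", "stealth": False}],
    },
    {   # finding: Grid Master listed as primary and not stealth
        "fqdn": "lab.example.mil",
        "grid_primary": [{"name": "gm.example.mil", "stealth": False}],
        "grid_secondaries": [{"name": "ns1.example.mil", "stealth": False}],
    },
    {   # compliant: Grid Master is a stealth secondary
        "fqdn": "corp.example.mil",
        "grid_primary": [{"name": "ns2.example.mil", "stealth": False}],
        "grid_secondaries": [{"name": "gm.example.mil", "stealth": True}],
    },
    {   # finding: Grid Master is the only name server (fix step 4)
        "fqdn": "empty.example.mil",
        "grid_primary": [{"name": "gm.example.mil", "stealth": True}],
        "grid_secondaries": [],
    },
]


@dataclass
class Finding:
    zone: str
    role: str      # grid_primary / grid_secondaries, or "-" for zone-level issues
    reason: str


def _members(zone: Dict[str, Any]):
    """Yield (role, member) pairs for every Grid member serving the zone."""
    for role in ("grid_primary", "grid_secondaries"):
        for member in zone.get(role, []):
            yield role, member


def check_zone(zone: Dict[str, Any], grid_master: str = GRID_MASTER) -> List[Finding]:
    """Return the findings for one zone (empty list means compliant)."""
    findings: List[Finding] = []
    gm_listed = False
    other_servers = 0
    for role, member in _members(zone):
        if member.get("name", "").lower() == grid_master.lower():
            gm_listed = True
            if not member.get("stealth", False):
                findings.append(Finding(zone["fqdn"], role,
                                        "Grid Master listed as name server but not marked Stealth"))
        else:
            other_servers += 1
    # Fix step 4: stealth only validates if at least one other server is listed.
    if gm_listed and other_servers == 0:
        findings.append(Finding(zone["fqdn"], "-",
                                "Grid Master is the only name server; add another before marking it Stealth"))
    return findings


def audit(zones: List[Dict[str, Any]], grid_master: str = GRID_MASTER,
          classified_network: bool = False) -> List[Finding]:
    """Run the check over all zones; on a classified network the rule is Not Applicable."""
    if classified_network:
        return []
    return [f for zone in zones for f in check_zone(zone, grid_master)]


if __name__ == "__main__":
    for f in audit(SAMPLE_ZONES):
        print(f"FINDING {f.zone} [{f.role}]: {f.reason}")
```

On a live Grid the zone list would come from a WAPI query such as GET /wapi/v2.x/zone_auth with `_return_fields=fqdn,grid_primary,grid_secondaries` (assumed endpoint and fields; confirm against the WAPI documentation for the deployed version) and be passed to `audit()` in place of `SAMPLE_ZONES`. Any finding with role `grid_primary` or `grid_secondaries` maps directly to the "not marked Stealth" finding in the check text; the zone-level finding tells the administrator which zones need a second server before the fix can be applied.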

Vulnerability Number

V-233903

Documentable

False

Rule Version

IDNS-8X-500006

Severity Override Guidance

Check Content Reference

M

Target Key

5251

Comments